gShield is an ipchains-based firewall script which should run
'out of the box' for most folks with minimal fuss.

gShield has the following features:

- handles dynamic or static IPs without problem
- can selectively enable IP Masqing
- adds tcpwrapper-like functionality for access to services
- aggressive defaults; only default 'open' service is auth
- easily configurable via a well commented BSD-style conf file.
- can include user defined rulesets within the script itself
- (v1.5) can port-forward key system services (using ipmasqadm)

Changes from GMMF (Godot's Modified Modular Firewall)

- 99% of everything is handled via the configuration file
- the script is cleaner and a bit smarter about the way it drops packets
- much easier to customize


* Note for 1.5 *

You can find ipmasqadm at http://juanjox.kernelnotes.org/
This is -required- if you want to use gShield to forward ports.


----------------------------------------------

A few things to help folks along:

All major configuration settings are stored in /etc/gShield.conf
You WILL need to look over this file before running the firewall,
but for most cases, the defaults should work fine for most
folks. Go ahead, open another term and take a peek.

gShield does -not- (in this version at least) check to ensure the
interface is active. This can lead to problems if one runs the
script whilst not connected. Please ensure your interface is 'up' 
before running the script. Under Debian this is easily accomplished 
via: ln -s /etc/firewall/gShield.rc /etc/ppp/ip-up.d/firewall
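Since gShield does not check the interface itself, here is an added example of a guard that could sit at the top of the script (this is not gShield's own code). It assumes a Linux /proc/net/dev, where a ppp interface is only listed while the link exists; the interface name is passed by the caller, since the page does not show which gShield.conf variable holds it.

```shell
# iface_present NAME [DEV_FILE]
# Returns 0 if NAME appears in /proc/net/dev (or the file given as the
# second argument, which exists only so the check can be exercised
# against a constructed copy), 1 otherwise.
#
# Caveat: for ppp links the interface only exists while connected, so
# presence is a good "am I up?" test; an ethernet card is listed whether
# or not it has a link, so for eth0 this only proves the driver loaded.
iface_present() {
    name=$1
    dev_file=${2:-/proc/net/dev}
    [ -r "$dev_file" ] || return 1
    # Each interface line looks like "  ppp0: 1234 5 0 ..."; match the
    # name immediately before the colon so "eth0" does not match "eth01".
    grep -q "^[[:space:]]*$name:" "$dev_file"
}

# Example use, as the first thing gShield.rc would do (ppp0 assumed):
#   iface_present ppp0 || { echo "ppp0 is not up, not loading rules" >&2; exit 1; }
```

When run from /etc/ppp/ip-up.d as the Debian symlink above arranges, the link is up by definition; the guard matters when the script is run by hand or from an init script.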

gShield is rather aggressive in its defaults:

- Everything is blocked to reserved ports (i.e., < 1023) except for auth
- All syn connections are blocked for unreserved ports (i.e., > 1023)
- All non-essential ICMPs are dropped (i.e., echo replies and the like)

All the above can be altered via gShield.conf.

----------------------------------------------

ACLs

gShield tries to incorporate Access Control Lists in a more
direct manner than the 'usual' approach with ipchains.

An ACL is simply a list of hosts which are allowed to connect
to pre-defined services. In this way, we can protect core
services (such as POP, SMTP, FTP, etc) from 'the world', while
still having unrestricted access to 'trusted' hosts.

A good example:

You wish to have access to your home machine from work,
but worry about leaving the sorts of services you'd
like access to open to the world. One way to accomplish
protecting these services would be via tcpwrappers or xinetd.

gShield takes this a bit further by allowing you to set what
hosts even get to have a packet touch the service in the first
place.

In the case of our 'I want to have access to my home machine
from work' scenario, we simply drop the IP (or range) of
our work machine into /etc/firewall/client-hosts.

Any IP (or range) in client-hosts is allowed access
to those services as defined in /etc/firewall/client-services, while
'other' hosts cannot. So one can easily restrict access to services
by distinguishing between 'clients' and 'the public'.

----------------------------------------------

Other ACLs

/etc/firewall contains the following 'other' files:

-rw-rw-r--   1 root     root          171 Dec  5 22:27 blacklist
-rw-rw-r--   1 root     root          230 Dec  5 22:28 bot-net
-rw-rw-r--   1 root     root          475 Dec  5 22:30 client-hosts
-rw-rw-r--   1 root     root          525 Dec  5 22:31 client-services
-rw-rw-r--   1 root     root          895 Dec  5 22:32 closed-ports
-rw-rw-r--   1 root     root          464 Dec  5 22:34 time-servers
-rw-rw-r--   1 root     root          196 Dec  5 22:35 user-rules

client-hosts and client-services we've touched on already.

* blacklist

	drop 'problem' hosts in here. gShield will drop -all-
	connections from these hosts (and log them at no extra cost!)

* bot-net

	IRC bots like to connect to high (unreserved) ports, which gShield
	drops by default (as per its default SYN policy). Lots of other
	services like to establish high TCP connections as well -- simply
	drop those hosts in here (if you need unrestricted access from
	the public to high ports, this can be configured in gShield.conf)

* closed-ports

	These are ports you simply want -fully- closed off for whatever
	reason. In most cases, this is overkill given gShield's defaults,
	but there are ports I block for the benefit of masqed machines
	(such as NetBus, etc), and which make use of UDP (which gShield
	does not block on the high end)

* time-servers

	Having your time synced is a good thing. Having that port open
	to the whole world may not be. Dump the time-servers you tend
	to favor in here to allow them to have access to time services.
	For example, I use chrony to keep my time accurate, and the servers
	chrony uses for this are also listed here. This allows them to do
	their time-syncing magic.
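To make the client-hosts/client-services idea from the ACLs section and the blacklist and closed-ports files above concrete, here is an added example (not gShield's own code) that turns those files into ipchains commands. It assumes the simplest possible file format, one host, network, port or service per line with '#' comments, since the page does not show the real layout; it prints the commands instead of running them so the result can be reviewed before it touches the input chain.

```shell
# read_list FILE: print the entries of an ACL file, one per line, with
# comments, blank lines and surrounding whitespace removed. A missing
# file is treated as empty, matching the "nothing to add" case.
read_list() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# blacklist: DENY everything from these hosts and log it (ipchains -l).
gen_blacklist_rules() {
    read_list "$1" | while read -r host; do
        printf 'ipchains -A input -s %s -j DENY -l\n' "$host"
    done
}

# client-hosts x client-services: each trusted host may reach each listed
# TCP service; everyone else falls through to the default policy, so these
# rules must be inserted before the "block reserved ports" defaults.
gen_client_rules() {
    hosts_file=$1
    services_file=$2
    read_list "$hosts_file" | while read -r host; do
        read_list "$services_file" | while read -r svc; do
            printf 'ipchains -A input -p tcp -s %s -d 0/0 %s -j ACCEPT\n' "$host" "$svc"
        done
    done
}

# closed-ports: DENY the port for both TCP and UDP from anywhere, which is
# what the page needs for the UDP services the high-port defaults let by.
gen_closed_port_rules() {
    read_list "$1" | while read -r port; do
        for proto in tcp udp; do
            printf 'ipchains -A input -p %s -s 0/0 -d 0/0 %s -j DENY\n' "$proto" "$port"
        done
    done
}

# gen_acl_rules DIR: emit the three rule groups in the order they should
# be loaded. Blacklisted hosts go first so a blacklisted address that also
# appears in client-hosts is still denied; ipchains matches top to bottom.
gen_acl_rules() {
    dir=${1:-/etc/firewall}
    gen_blacklist_rules "$dir/blacklist"
    gen_client_rules "$dir/client-hosts" "$dir/client-services"
    gen_closed_port_rules "$dir/closed-ports"
}

# Review, then apply:
#   gen_acl_rules /etc/firewall            # print the rules
#   gen_acl_rules /etc/firewall | sh       # load them (as root)
```

Because the blacklist rules carry -l, every packet from a listed host shows up in the kernel log, which is the cheap "log them at no extra cost" behaviour described above; keep that list short, since a chatty blacklisted host can fill the log quickly.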

----------------------------------------------

Feel free to contact me with suggestions and/or problems

Godot (godot@mindspring.com)

I can also generally be found on EFNet, #Linuxhelp
